Itinera makes use of a responsible for the protection of personal data (also known as “Data Protection Officer” or “DPO”). The DPO can be contacted at the following email address dpo@itineraspa.it

NOTICE FOR APPLICANTS FOR EMPLOYMENT PURSUANT TO THE LEGISLATION ON THE PROTECTION OF PERSONAL DATA

1.Treatment of personal data

Pursuant to articles 13 and 14 of the Regulation (EU) 2016/679 regarding the protection of personal data (“GDPR“), we inform you that Itinera S.p.A. (the “Company” or the “Data Controller“), as the data controller, processes your personal data, provided by you and also acquired from third-party sources, on the occasion of selection procedures initiated by the Company.

2.Purpose of this information document

This information allows you to know the nature of your personal data and object of treatment, the purposes and methods of treatment, any recipients of the same as well as the rights that are recognized.

3.Purpose of use of the data

Your personal data are used for selection procedures, in particular, to verify the conditions for hiring and / or starting a collaboration and to follow up on your application.

4.Personal data subject to processing

In particular, the personal data at issue concern: Name, address or other elements of personal identification, data relating to work, social security data, the curriculum of studies and work.

On a possible and exceptional basis, as in the case in which by reason of the establishment of a working relationship it becomes known that the interested party belongs to the protected categories, other personal data may be acquired which, according to the terminology of the law, fall into the category of “sensitive” data, such as those suitable for revealing the racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union; as well as personal data suitable for revealing the state of health and sexual life.

5.Nature of the conferment

The provision of data is optional and is left to the will of the candidate who, without any solicitation from the Owner, presents his curriculum vitae. About the data subsequently and possibly requested by the Data Controller, failure to provide it makes it impossible to proceed with the verification of the conditions for the selection procedures, the recruitment and / or for the start of the collaboration and, therefore, to any establishment of the relationship with the Data Controller.

6.How to use the data

Personal data can be processed, as well as by electronic means, also with non-automated tools, and the processing is carried out only with operations, as well as with logic and through forms of organization of data strictly indispensable in relation to the aforementioned obligations, tasks or purposes.

7.Circulation of data

The data may be used by the Data Controller’s staff who have been assigned a specific role and who have been given adequate operating instructions in order to avoid loss, destruction, unauthorized access or unauthorized processing of the data. Your personal data will be made accessible only to those who, within the company organization, need it due to their duties or hierarchical position.

The data may also be used by third parties who carry out instrumental activities on behalf of the Data Controller, the latter acting as external data processors and under the direction and control of the Data Controller. The updated list of data processors is available by submitting a request to privacy@itineraspa.it .

8.No communication or dissemination of data

Your personal data will not be disclosed to third parties, nor will it be disseminated to indeterminate subjects.

9.Transfer of data abroad

Your personal data may be transferred abroad to countries belonging to the European Union and to third countries, in this case with the adoption of adequate safeguards aimed at ensuring data protection and the security of transfers. Further information can be requested by writing to privacy@itineraspa.it .

10.Data retention times

The data will be kept for the time necessary for the formalities required for the selection of the candidate and in any case no later than 5 (five) years from their collection, except for the possible establishment of the employment and / or collaboration relationship.

11.No need for consent

Your consent to the processing is not necessary as the processing concerns data contained in the curricula, spontaneously transmitted by the interested parties for the purpose of establishing an employment / collaboration relationship.

12.Holder of the treatment

The data controller is Itinera S.p.A., with registered office in Via M. Balustra, 15 – 15057 Tortona (AL) – Italy, tax code and VAT number 01668980061.

13.Data Protection Officer

The Company employs a person responsible for the protection of personal data (also known as “Data Protection Officer” or “DPO”). The DPO can be contacted through the following communication channel: dpo@itineraspa.it .

14.Exercise of rights

At any time, you can have full clarity on the operations we have reported and, in particular, obtain the cancellation, transformation into anonymous form and blocking of data processed in violation of the law, request updating or rectification or integration, oppose their use, and exercise the other rights provided by law. For this purpose, you can contact privacy@itineraspa.it .

We also remind you that you also have the right to lodge a complaint with the Guarantor Authority for the protection of personal data if you believe that your rights have not been respected or that you have not received a response under the law.

Tortona,
24 May 2018
the Owner
Itinera S.p.A.

NOTICE FOR EMPLOYEES/COLLABORATORS OF THE SUPPLIERS
ACCORDING TO THE REGULATION ON THE PROTECTION OF PERSONAL DATA

1. Background

ITINERA S.p.A. (the “Company“) is carrying out preliminary operations for the selection of potential suppliers, including your company (the “Supplier“), for the provision of works/services/supplies/professional services (collectively the “Services“) and, for the above purpose, it needs to acquire some information about the Supplier and its organization (including information on its employees and collaborators) qualifiable as “personal data” in accordance with Regulation (EU) 2016/679 on the protection of personal data (the “GDPR“).

1.1 Please note that, according to the GDPR, (i) “controller” means the person or legal entity which determines purposes, methods and means of the processing of personal data, including the security profile; (ii) “data subject” means the natural person to whom the personal data belong, thus excluding the legal entity.

1.2 In relation to personal data of Supplier’s employees and collaborators processed by the Company for the management of the relationship with the Supplier, the Company qualifies as the controller for processing of such data (hereinafter, the Company is also referred to as the “Controller”).

1.3 It is the Controller’s duty to inform, in advance, the data subject and the subject with whom the personal data are collected about the processing of personal data.

1.4 In case of relationships amongst legal entities, the information to any data subject involved in the relevant processing – when they work for or perform professional activities in favour of or collaborate with the Supplier and the data of whom can be communicated, known and / or processed by the Controller in execution and in the performance of the main relationship – is released by the Controller through the Supplier itself.

1.5 With this information, the Company, in its role as Controller, informs the data subjects about the purposes and methods of the processing of personal data collected, the scope of their communication and dissemination, as well as the reason of their communication.

1.6 The Supplier undertakes to guarantee to the data subject full knowledgeability of this information.

2. Purposes of processing of personal data

The Company processes personal data of the data subjects in order to:

1. i. acquire preliminary information enabling the evaluation of the Supplier (references of previous works, financial soundness, internal organizational structure, absence of impedimental elements according to law) for the purposes of the latter qualification within the Company’s Supplier Register;
2. ii. evaluate the possibility to establish a contractual relationship with the Supplier in relation to performance of the Services, also by means of the fulfillment of requirements from time to time set forth by applicable law or by the relevant contracts applicable to the specific type of service (works, services, supplies, professional services) and, in this case,

iii. use and manage the Services, as well as for purposes strictly related to those indicated above.

3. Data processed

Identification and contact data, as well as different data relating to employees and/or collaborators of the Supplier and / or individuals who hold positions and roles within the organization of the Supplier, with whom the Company is in contact for the purposes indicated in the previous Paragraph 2 (Purpose of the processing of personal data) are subject to processing.

Furthermore, in the cases provided for by paragraph 2, sub II, judicial data and data concerning relatives of the data subjects may be processed.

4. Processing methods

Personal data are processed both by electronic and by non-automated means.

5. Circulation of data

Data may be used by the Company’s personnel to whom a specific role has been assigned and to whom adequate operating instructions have been given, as well as by third parties carrying out ancillary activities on behalf of the Controller, the latter acting as external processors, acting under the Controller’s direction and control. The updated list of processors is available by submitting a request to privacy@itineraspa.it.

6. Data communication

Furthermore, the data may also be disclosed (i) to other companies of the Group with which specific agreements exist, for shared processing purposes, for administrative and accounting purposes and by the latter used for the same purposes; to public bodies for the fulfilment of legal requirements, as well as (ii) to third parties and companies, such as banks, credit institutions and companies closely linked to the collection of credit; to legal and specific consultants, auditors; credit recovery consultants, administration and contractual advisors. The indicated third parties will act as autonomous data controllers. The updated list of the aforesaid recipients and the categories of data recipients can be obtained by writing to privacy@itineraspa.it .

Personal data are not disclosed to undetermined recipients.

7. Transfer of data abroad

Personal Data of the data subjects may be transferred abroad to countries belonging to the European Union and to third Countries, in this case with the adoption of adequate security measures apt at ensuring data protection and security of transfers. Further information can be provided by writing to: privacy@itineraspa.it .

8. Data retention time

The data will be kept for the duration of the entire contractual relationship and, in any case, for a period not exceeding 10 (ten) years from finalisation thereof or from the date of registration in the Suppliers Register, without prejudice to the statute of limitations and legal deadlines in respect of the consequent rights and in compliance with the consequent obligations.

9. The Controller

The Controller is Itinera S.p.A., with registered office in Via M. Balustra, 15 – 15057 Tortona (AL) – Italy, fiscal code and VAT number 01668980061.

10. Data Protection Officer

The Company has appointed a Data protection officer (the “DPO”). The DPO can b contacted via the following communication channel: dpo@itineraspa.it .

11. Exercise of rights

At any time, the data subjects can have full knowledge of the above-mentioned processing operations and, in particular, obtain the cancellation, anonymization and blocking of data unlawfully processed, request their update or correction or integration, challenge their use and exercise the other rights set forth by law. For this purpose, please contact privacy@itineraspa.it .

Moreover, we remind you that the data subjects also have the right to submit a claim to the Data Protection Authority should they deem that their rights have not been respected or that they have not received a reply according to law.

Tortona,
24th May 2018
ITINERA S.p.A.
(the Owner)

NOTICE TO CORPORATE OFFICERS AND ATTORNEYS IN ACCORDANCE WITH DATA PROTECTION LAW

1. Personal data processing.

In accordance with EU Regulation 2016/679 on the personal data protection (the “GDPR“), effective from 25 May 2018, we inform you that ITINERA (the “Company” or the “Data Controller“), in the capacity of data controller, processes the personal data you provide us following your acceptance of the office of Director / Statutory Auditor / Member of the Supervisory Body pursuant to Legislative Decree 231/01 or your appointment as Attorney of society.

2. Purpose of this policy

This information allows you to know the nature of your personal data and object of treatment, the purposes and methods of treatment, any recipients as well as the rights that are recognized. Also, in consideration of the future changes that may occur on the applicable legislation on personal data, the Company may integrate and / or update, in whole or in part, this information on the Company’s website (https: //www.itinera- spa.it/privacy/).

3. personal data undergoing processing.

The personal data being processed are: name, address or other elements of personal identification of you and your family members or data relating to work, social security data, the curriculum of studies and work as well as, where necessary, the details of the bank account, Its relevance (so-called “common data”). The personal data you provide to us and possibly collected by us from other sources may also be of a sensitive or judicial nature, such as those required for the purpose of submitting offers or even in order to manage, where the conditions exist, any professional insurance policies. in the name of the company of which you are the beneficiary.

In any case, the Company may find it necessary to request personal data other than those falling within the above category and to submit them to processing operations and to communicate them to the recipient bodies indicated in the following Paragraph 7 (Circulation of data), if the provision is:

1. a) imposed by laws, regulations or decisions of authority; or
2. b) necessary and instrumental to the management and execution of the ongoing professional relationship with you;

in the latter case, only the essential data for the indicated purpose will be requested or collected by third parties and will be transmitted to the subjects specified above to allow the relationship in place to be fully implemented.

4. Purpose of personal data processingYour personal data are used by the Company for the purpose of managing your relationship with the Company itself, by way of indication and not exhaustive for the following activities: a) the management of your position; b) communications addressed to you in writing or by telephone made directly with internal staff; c) access to the Company’s intranet; d) verification of the requirements for the office and the inexistence of causes of ineligibility and forfeiture pursuant to the law; as well as, where applicable e) in relation to the information requested from time to time for the purpose of submitting offers, for the correct exercise of pre-qualification activities and / or accreditation activities in the registers / registers / IT platforms of public / private counterparties, in Italy or abroad.

5. Provision of personal data

The provision of your personal data is optional, but it is necessary and / or mandatory for the management of the professional relationship that binds you to the Company and to fulfil regulatory obligations. Failure, partial or incorrect communication of your personal data may result in the inability to execute the aforementioned relationship.

6. Processing method

Your data are used not only by electronic means but also by paper means.

7. Data traffic
   • The data may be used by Company personnel who have been assigned a specific role in relation to the processing and who have been given adequate operating instructions. Your personal data will be made accessible in colours who, within the company organization, need it due to their duties or hierarchical position.

• Your personal data may also be processed by third parties to whom the Company entrusts the activities or services (or part of them) for the pursuit of the purposes indicated in this information, or third parties to whom the Company is required to communicate the your data in compliance with the applicable legislation. These subjects will operate, depending on the case, as data processors or as independent data controllers and are typically included in the following categories:

1. a) institutions, bodies and / or public authorities (Courts, supervisory and control authorities, etc ..);
2. b) public and / or private clients.
3. c) members of the corporate bodies of the Company.
4. d) companies belonging to the same group as the Company.
5. e) auditing company.
6. f) companies / service centres, professional firms or freelancers for consultancy and assistance in corporate activities and / or transactions and related activities.
7. g) companies or persons for the management and maintenance of information systems;
8. h) banks, credit institutions, factoring companies and credit collection companies;

1. companies or professionals appointed by the Company to manage your insurance relationship (where applicable).

7.3 The third parties may also be established abroad, in EU or non-EU countries. In the latter case, the transfer of data is carried out by virtue of the existence of a decision by the European Commission on the adequacy of the level of data protection of the non-EU country or on the basis of the appropriate and appropriate guarantees provided for by Articles 46 or 47 of the GDPR (eg signing of the “standard clauses” of data protection adopted by the European Commission) or the additional conditions of legitimacy for the transfer provided for by art. 49 of the GDPR. For more information on the possible transfer of your personal data outside the European Union, you can write to privacy@itineraspa.it.

Your personal data are not disclosed to undetermined recipients.

8. No need for consent

The consent to the processing of the aforementioned data is not necessary as their use is a function of the execution of the relationship of which you are a part.

9. Data controller

The data controller is Itinera S.p.A., with registered office in Via M. Balustra, 15 – 15057 Tortona (AL) – Italy, tax code and VAT number 01668980061.

10. Data Protection Officer

Itinera makes use of a responsible for the protection of personal data (also known as “Data Protection Officer” or “DPO”). The DPO can be contacted at the following email address dpo@itineraspa.it

11. Exercise of the rights

Upon the fulfillment of the conditions and within the limits of the applicable legislation, you may exercise the following rights in relation to the processing of your personal data: (i) the right to access personal data and information on the related processing; (ii) right of rectification if personal data are inaccurate or incomplete; (iii) the right to obtain the cancellation of personal data; (iv) right to object to the processing of personal data; (v) right to limit the processing of personal data; (vi) the right to obtain the transfer of personal data to other companies or organizations and / or to receive personal data in a structured format, commonly used and readable by an automatic device. The aforementioned rights may be exercised by contacting privacy@itineraspa.it.

If you find any irregularities in the processing of your personal data, you can lodge a complaint with the Guarantor for the protection of personal data, in the manner indicated on the website of the Guarantor (www.garanteprivacy.it).

ITINERA S.p.A.

Late update: 10/05/2021